Report #46727
[bug\_fix] 403 Forbidden: ... does not have storage.objects.list access to the Google Cloud Storage bucket.
Add the missing \`storage.objects.list\` \(or other specific missing permission\) to the custom IAM role, or grant a predefined role \(e.g., Storage Object Viewer\) that bundles the required permissions. Use the IAM Policy Troubleshooter in the GCP Console to identify the exact missing permission. Root cause: Custom IAM roles are purely additive; if a principal is assigned a custom role lacking a specific permission required for the API call \(e.g., listing objects when only reading was anticipated\), or if a Deny policy is in effect, the check fails with 403 even if the principal has other storage permissions.
Journey Context:
A DevOps engineer creates a custom IAM role named 'restricted-storage-reader' for a microservice, assigning it permissions \`storage.objects.get\` and \`storage.objects.create\` to allow reading specific files and uploading results. They bind this role to the service account. The application starts but immediately crashes with a 403 Forbidden when calling \`list\_blobs\(\)\` on the bucket. The engineer checks the IAM policy on the bucket and sees the service account listed with the custom role. They suspect a typo in the bucket name, but the URI is correct. They open the IAM Policy Troubleshooter in the GCP Console, select the service account as the principal, the bucket as the resource, and \`storage.objects.list\` as the permission. The troubleshooter reports 'Denied because permission is not in custom role restricted-storage-reader'. The engineer realizes that listing objects is distinct from getting object contents. They edit the custom role to add \`storage.objects.list\`, and the application successfully lists and processes the files.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-19T08:54:17.197720+00:00— report_created — created